analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.mapsvoyage.com:80/v/lib/mng-bg.html?t\=project-frm&cb\=1289268

Full analysis: https://app.any.run/tasks/48b0b0ec-14db-41e1-85b2-1a955c266e65
Verdict: Malicious activity
Analysis date: January 10, 2019, 16:06:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

3CF89AE0C8C283C0E1970C1CEE69DDDE

SHA1:

A2AFE2F0870ED1E53D76C9E027B441C10A5CA6D7

SHA256:

453C56E566D5254DC8A98BCEEE61858B6C4CBB1AE80EF305F5679BB05736EEB8

SSDEEP:

3:N1KJS4UAidWSMq2C6IDIUR5aUtSdcXR:Cc4qdoq2C+USUtuU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads CPU info

      • firefox.exe (PID: 2488)
      • firefox.exe (PID: 2980)
      • firefox.exe (PID: 2480)
      • firefox.exe (PID: 2888)
      • firefox.exe (PID: 2604)

    • Application launched itself

      • firefox.exe (PID: 2980)

    • Creates files in the user directory

      • firefox.exe (PID: 2980)

    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 2980)

    • Reads settings of System Certificates

      • firefox.exe (PID: 2980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
5
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe

Process information

PID
CMD
Path
Indicators
Parent process
2980"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.mapsvoyage.com:80/v/lib/mng-bg.html?t\=project-frm&cb\=1289268C:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
2604"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2980.0.980185700\1912493366" -childID 1 -isForBrowser -prefsHandle 1436 -prefsLen 8310 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2980 "\\.\pipe\gecko-crash-server-pipe.2980" 1484 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
2888"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2980.6.915471901\70391030" -childID 2 -isForBrowser -prefsHandle 2576 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2980 "\\.\pipe\gecko-crash-server-pipe.2980" 2052 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
2488"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2980.12.969738700\1297441576" -childID 3 -isForBrowser -prefsHandle 2516 -prefsLen 12017 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2980 "\\.\pipe\gecko-crash-server-pipe.2980" 2512 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
2480"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2980.18.1763094788\152778828" -childID 4 -isForBrowser -prefsHandle 1332 -prefsLen 12017 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2980 "\\.\pipe\gecko-crash-server-pipe.2980" 3356 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
Total events
603
Read events
591
Write events
12
Delete events
0

Modification events

(PID) Process:(2980) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2980) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2980) firefox.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
0
Suspicious files
166
Text files
33
Unknown types
64

Dropped files

PID
Process
Filename
Type
2980firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
2980firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
2980firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
2980firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
MD5:
SHA256:
2980firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.sbstorebinary
MD5:0E8FE60CCD7E9B4C32589A5743A95302
SHA256:2B124D4026850A3CFFD28DBACB58AEC28F7DCD4D40BC14E52BBE96D60CE4E749
2980firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstorebinary
MD5:CD82F4495EAFE523B9B6B938C828611B
SHA256:576A0D2C3AD8D66BB202439B18F9FD563F92D9DDD9582A3C4CCE0ECAFD4F0908
2980firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.binbinary
MD5:707C12070C52E55C2A996AC15E219B95
SHA256:6C5410C655C8EFC48D123ABE708C8940A4218072C0DAF85E03AB45DA6D2CE6B9
2980firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:71B3221766E9AAD11270F777F280C381
SHA256:0CD57F433375F357393D170CC3A6E2F2895351C80F31DBC03F0AF66B76793A32
2980firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\9A773A53CEAFC5C216EE35A46ED269F07F4FF62Cder
MD5:BDF4039B86FDA29A6D49E4B47FD8119E
SHA256:EE7914FB70ABC5F11ED81E247F1904AC64FB959B8A6BC2B5363039A3EF0CC97E
2980firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flash-digest256.sbstorebinary
MD5:C921D8E98FA01B4F303481E112202E92
SHA256:4EF1038730EC8BC7206713C29A936768831B922C5E6C83355FD62D7401D8C1DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
54
DNS requests
123
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2980
firefox.exe
GET
302
74.120.19.87:80
http://www.mapsvoyage.com/v/lib/mng-bg.html?t\=project-frm&cb\=1289268
US
malicious
2980
firefox.exe
GET
200
74.120.19.115:80
http://www.gdprcountryrestriction.com/img/hero-bg.png
US
image
233 Kb
whitelisted
2980
firefox.exe
GET
74.120.19.115:80
http://www.gdprcountryrestriction.com/favicon.ico
US
whitelisted
2980
firefox.exe
GET
200
74.120.19.115:80
http://www.gdprcountryrestriction.com/img/bg-photo.jpg
US
image
671 Kb
whitelisted
2980
firefox.exe
GET
200
74.120.19.115:80
http://www.gdprcountryrestriction.com/
US
html
1.10 Kb
whitelisted
2980
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2980
firefox.exe
POST
200
216.58.207.78:80
http://ocsp.pki.goog/GTSGIAG3
US
der
463 b
whitelisted
2980
firefox.exe
POST
200
93.184.220.29:80
http://status.thawte.com/
US
der
471 b
whitelisted
2980
firefox.exe
GET
302
74.120.19.87:80
http://mapsvoyage.com/
US
malicious
2980
firefox.exe
POST
200
216.58.207.78:80
http://ocsp.pki.goog/GTSGIAG3
US
der
463 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2980
firefox.exe
2.16.186.50:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
2980
firefox.exe
74.120.19.115:80
www.gdprcountryrestriction.com
US
malicious
2980
firefox.exe
74.120.19.87:80
www.mapsvoyage.com
US
malicious
2980
firefox.exe
34.216.89.123:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
2980
firefox.exe
52.41.60.30:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
2980
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2980
firefox.exe
172.217.23.168:443
www-googletagmanager.l.google.com
Google Inc.
US
whitelisted
2980
firefox.exe
216.58.207.74:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2980
firefox.exe
216.58.207.78:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2980
firefox.exe
172.217.22.14:443
www.google-analytics.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.mapsvoyage.com
  • 74.120.19.87
malicious
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.112
  • 2.16.186.50
whitelisted
search.services.mozilla.com
  • 34.216.89.123
  • 52.27.184.151
  • 52.89.32.107
whitelisted
search.r53-2.services.mozilla.com
  • 52.89.32.107
  • 52.27.184.151
  • 34.216.89.123
whitelisted
tiles.services.mozilla.com
  • 52.41.60.30
  • 52.39.131.77
  • 52.10.130.148
  • 52.34.107.172
  • 52.25.70.97
  • 35.166.45.24
  • 52.40.109.206
  • 34.216.156.21
  • 52.43.40.243
  • 54.187.46.234
  • 52.41.78.152
whitelisted
tiles.r53-2.services.mozilla.com
  • 34.216.156.21
  • 52.40.109.206
  • 35.166.45.24
  • 52.25.70.97
  • 52.34.107.172
  • 52.10.130.148
  • 52.39.131.77
  • 52.41.60.30
  • 52.41.78.152
  • 54.187.46.234
  • 52.43.40.243
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
cs9.wac.phicdn.net
  • 93.184.220.29
whitelisted
www.gdprcountryrestriction.com
  • 74.120.19.115
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.mapsvoyage.com:80/v/lib/mng-bg.html?t\=project-frm&cb\=1289268